Detection of malicious encrypted network traffic based on temporal and spatial principal component analysis
网络安全与数据治理 (Cybersecurity and Data Governance), Issue 10
Meng Nan 1, Zhou Chengsheng 1, Zhao Xun 1, Wang Bin 2, Jiang Qiaomu 2
(1. Institute of Security, China Academy of Information and Communications Technology, Beijing 100191, China; 2. Guangzhou Intelligence Communication Technology Co., Ltd., Guangzhou 510639, China)
Abstract: Detecting malicious encrypted traffic is essential to the reliable operation of critical information infrastructure, and it is also an effective means of countering network threats such as DDoS attacks. Using temporal and spatial principal component analysis, this paper builds models of network traffic variation along the time dimension and the space dimension to detect malicious encrypted traffic in real time and trace it back to its source. In the time dimension, principal component analysis is applied to historically accumulated traffic monitoring data, and the squared prediction error between an instantaneous traffic prediction model and the actually measured traffic is used to determine the moment at which malicious encrypted traffic appears in the network. In the space dimension, historically accumulated traffic monitoring data from individual countries and regions is used to build a regional traffic prediction model, and the squared prediction error between that model and the measured traffic of each region is used to trace the malicious encrypted traffic to its source region. Finally, an algorithm implementation flow suitable for deployment on production networks is designed, and the capability improvement over existing algorithms is analysed.
CLC number: TP393.08
Document code: A
DOI: 10.19358/j.issn.2097-1788.2023.10.006
Citation: Meng Nan, Zhou Chengsheng, Zhao Xun, et al. Detection of malicious encrypted network traffic based on temporal and spatial principal component analysis [J]. 网络安全与数据治理 (Cybersecurity and Data Governance), 2023, 42(10): 33-39.
Detection of malicious encrypted network traffic based on temporal and spatial principal component analysis
Meng Nan 1, Zhou Chengsheng 1, Zhao Xun 1, Wang Bin 2, Jiang Qiaomu 2
(1. Institute of Security, The China Academy of Information and Communications Technology, Beijing 100191, China; 2. Guangzhou Intelligence Communication Technology Co., Ltd., Guangzhou 510639, China)
Abstract: Monitoring and warning of malicious encrypted network traffic is essential for the reliability of critical information infrastructure, and is also an effective method against cyberattacks such as Distributed Denial of Service (DDoS) attacks. In this paper, malicious encrypted network traffic is monitored and traced by constructing temporal and spatial network traffic variation models with the Principal Component Analysis (PCA) technique. From a temporal perspective, PCA is applied to historical network traffic monitoring data to construct the Squared Prediction Error (SPE) between the temporal model's prediction and the measured network traffic; the moment at which malicious encrypted traffic behaviour occurs is declared when the instantaneous SPE exceeds a predefined threshold. From a spatial perspective, PCA is applied to historical network traffic monitoring data of individual countries and regions; the source region of the malicious encrypted traffic is traced by evaluating the SPE between the spatial model's prediction and the measured traffic of each country or region. Finally, a practical algorithm for detecting malicious encrypted network traffic behaviour is designed, and its capability improvement compared with existing algorithms is analysed.
Key words: temporal and spatial principal component analysis; monitoring of malicious encrypted network traffic; trace; squared prediction error
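The two abstracts above describe the same mechanism: fit a principal-component model to historical traffic, project each new observation onto the normal subspace, and alarm when the squared prediction error (SPE) of the residual exceeds a threshold; in the spatial variant the per-region residuals identify the source region. The following is an added illustrative example, not code from the paper: it implements the standard PCA-subspace SPE detector in pure Python on constructed per-region volumes. The number of retained components (k=1), the threshold rule (mean plus three standard deviations of the training SPE) and the attribution rule (region with the largest residual component) are assumptions made here, since the paper's exact choices are not on this page.

```python
"""PCA-subspace (squared prediction error) anomaly detection on per-region traffic.

Added illustrative example, not code from the paper. The component count, the
threshold rule and the source-attribution rule below are assumptions.
"""
import math
import random
from typing import List, Tuple

Matrix = List[List[float]]


def _dot(u: List[float], v: List[float]) -> float:
    return sum(a * b for a, b in zip(u, v))


def _matvec(a: Matrix, v: List[float]) -> List[float]:
    return [_dot(row, v) for row in a]


def _column_means(x: Matrix) -> List[float]:
    n = len(x[0])
    return [sum(row[j] for row in x) / len(x) for j in range(n)]


def _covariance(x: Matrix, means: List[float]) -> Matrix:
    n = len(x[0])
    cov = [[0.0] * n for _ in range(n)]
    for row in x:
        d = [row[j] - means[j] for j in range(n)]
        for i in range(n):
            for j in range(n):
                cov[i][j] += d[i] * d[j]
    return [[v / (len(x) - 1) for v in r] for r in cov]


def top_components(cov: Matrix, k: int, iters: int = 300) -> List[List[float]]:
    """Top-k unit eigenvectors of a symmetric matrix (power iteration + deflation)."""
    n = len(cov)
    a = [r[:] for r in cov]
    comps: List[List[float]] = []
    for _ in range(k):
        v = [1.0 / math.sqrt(n)] * n
        for _ in range(iters):
            w = _matvec(a, v)
            norm = math.sqrt(_dot(w, w))
            if norm == 0.0:
                break
            v = [c / norm for c in w]
        lam = _dot(v, _matvec(a, v))
        comps.append(v)
        for i in range(n):          # deflate so the next pass finds the next component
            for j in range(n):
                a[i][j] -= lam * v[i] * v[j]
    return comps


class SpeDetector:
    """Normal-subspace model: SPE = ||x - P P^T x||^2 on mean-centred traffic vectors."""

    def __init__(self, k: int = 1, sigmas: float = 3.0) -> None:
        self.k, self.sigmas = k, sigmas
        self.means: List[float] = []
        self.comps: List[List[float]] = []
        self.threshold = 0.0

    def fit(self, history: Matrix) -> "SpeDetector":
        self.means = _column_means(history)
        self.comps = top_components(_covariance(history, self.means), self.k)
        spes = [self.spe(row)[0] for row in history]
        mu = sum(spes) / len(spes)
        sd = math.sqrt(sum((s - mu) ** 2 for s in spes) / len(spes))
        self.threshold = mu + self.sigmas * sd   # assumed rule; the paper's is not on the page
        return self

    def spe(self, row: List[float]) -> Tuple[float, List[float]]:
        d = [row[j] - self.means[j] for j in range(len(row))]
        proj = [0.0] * len(row)
        for p in self.comps:
            c = _dot(d, p)
            for j in range(len(row)):
                proj[j] += c * p[j]
        resid = [d[j] - proj[j] for j in range(len(row))]
        return _dot(resid, resid), resid

    def check(self, row: List[float]) -> Tuple[bool, float, int]:
        """(anomalous?, SPE, index of the region contributing most to the residual)."""
        s, resid = self.spe(row)
        worst = max(range(len(resid)), key=lambda j: abs(resid[j]))
        return s > self.threshold, s, worst


BASE = [100.0, 80.0, 60.0, 120.0, 90.0]   # constructed per-region baseline volumes


def make_traffic(bins: int, seed: int, noise: float = 2.0) -> Matrix:
    """Constructed hourly volumes: shared diurnal cycle times region baseline, plus noise."""
    rng = random.Random(seed)
    return [[b * (1.0 + 0.3 * math.sin(2 * math.pi * t / 24)) + rng.gauss(0.0, noise)
             for b in BASE] for t in range(bins)]


def run_demo(spike: float = 80.0, region: int = 3) -> dict:
    det = SpeDetector(k=1).fit(make_traffic(96, seed=1))
    window = make_traffic(24, seed=2)
    false_alarms = sum(det.check(r)[0] for r in window)
    attacked = list(window[10])
    attacked[region] += spike                    # injected surge from one region
    flag, spe, worst = det.check(attacked)
    return {"threshold": det.threshold, "false_alarms": false_alarms,
            "flagged": flag, "spe": spe, "traced_region": worst}


if __name__ == "__main__":
    print(run_demo())
```

The temporal and spatial variants differ only in what the columns are: time bins of aggregate volume per link give the "when" decision, while per-country or per-region volumes give the "where" decision through the residual vector, which is why a single detector class serves both. In production the threshold should be derived from a longer, attack-free training window and re-fitted periodically, since a slow drift in normal traffic otherwise raises the SPE for every observation.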
0 Introduction
With the rapid development of emerging information technologies such as the Internet, big data and cloud computing, network scale is growing exponentially and explosively, and every sector of society has begun to apply Internet technology widely in its work. The stable and reliable operation of networks is therefore important to the smooth running and rapid development of society.
To ensure stable and reliable network operation, network traffic monitoring devices (such as traffic probes) are deployed to monitor the traffic at specific network ingress and egress points in real time along multiple dimensions. Traffic data at key network nodes is collected by port mirroring or optical splitting and sent to a network security analysis and monitoring system, which performs deep packet inspection of traffic behaviour, transport protocols and payload content and matches the results against a built-in security threat intelligence library, thereby achieving real-time detection and warning of malicious encrypted traffic behaviour [1].
For the full text of this paper, download: https://www.chinaaet.com/resource/share/2000005736
This content is original to the AET website; reproduction without authorization is prohibited.